How do you configure DNS/AD in a Hyper-V environment so you can still access the internet?

Question

Is there a "Best Practice" for configuring a "fake" VM domain on the fringe of the real internet?

My goal is to have a Hyper-V based "Data Centre" test system running in my home environment, i.e. a VM for AD (DNS and/or DHCP), another as an AD mirror, then any others I need to spin up for testing SQL, SharePoint, Team Server etc.

I'd like the VM servers to be able to see each other & also the internet.

I'd like other PCs in the house to interact with the virtual environment.

If possible, I'd like the AD in the VM to authenticate my Home accounts & register my home machines as part of that domain.

1st problem: AD needed an FQDN & I don't have one. I'd like to invent one & use it, but I don't know how to have the VM's DNS play nice with the real internet DNS service. It complains that there is no entry for the FQDN in my router's DNS.
(Understandable; I don't really want a bogus domain name escaping into the internet.)

It also complains that the DNS server shouldn't have a loopback address as its first entry.

Ideally I'd like the boundary to my "Fake" domain to be at the ISP router, as opposed to a Virtual network on the host.

Do I need to put all VMs on a "Private" virtual network & then create an ISA Server VM to connect the private network to the "External" netcard? Or do I give each VM 2 networks, one internal & the other external?

Is there some way to keep DNS happy by using Conditional Forwarders, or should I be changing the IPv4 protocol with an Alternate Configuration?

In short: is there some way that all my virtual servers & physical PCs can see the Active Directory in the VM, & also see the rest of the internet, but not let my fake domain collide with the real world?

Answers

Whether it is on physical or virtual machines does not matter. Basically your DHCP server must hand out the static address of the AD server as the primary DNS server address so clients can find the DC. Then put the ISP's DNS addresses in the forward lookup of your DNS server so clients can find the internet. Also make sure your server has a static IP address outside of the DHCP scope. 127.0.0.1 is OK, but the AD/DNS server should have its own address first in the DNS list.

I find the best way is to set up AD on a private virtual network with its own private subnet. To give it Internet access, run one VM as a NAT router (or TMG) with its public NIC connected to the LAN.

You can then proceed just as you would for a physical network behind a NAT router. Run DHCP on the DC and not on the NAT router. Give the clients the NAT router for a gateway but the DC for DNS. (AD works best with no other DNS addresses, even as secondaries.) Modify the local DNS to forward to a public DNS service (your ISP or 4.2.2.2) to resolve foreign URLs.

If you want physical machines on your LAN to be in the domain as well, you would use an external virtual network rather than private (so that the VMs and the physicals are in the same network; this would need to be a different NIC from the one connecting the host to the DSL router). I would not join the host machine to the domain. Leave the host as a "black box" powering your VMs and the host/DSL link as a pseudo-DMZ.

So you need two NICs in the host. One connects to your DSL router. Only the host and the public side of your NAT router VM use this network and this IP subnet. The other NIC connects to a switch to which all your physical machines (except the VM host) connect. This network is behind your NAT router and is your domain network containing all your physical and virtual servers and workstations (except the VM host). The "boundary" of your domain will be the NAT router.
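The two-NIC layout described in the answers above (NAT router in a VM as the domain boundary, DC handing out itself as the only DNS server, forwarders for everything else), written out as an added PowerShell example. This is not code from the thread or from Microsoft; every name in it is an assumption: host NICs "LAN-Uplink" and "LabSwitchNIC", VMs "NATRTR" and "DC1" already created with one default network adapter each, guest adapter aliases already renamed to "Outside"/"Inside" with Rename-NetAdapter, domain subnet 10.10.0.0/24, the ISP router at 192.168.1.1 as the upstream resolver, and Windows Server 2016 or later on the NAT VM so that New-NetNat is available (the thread's era would have used ISA/TMG or RRAS for that step). For the domain name it uses `ad.home.arpa` rather than an invented TLD: `home.arpa` is reserved by RFC 8375 for exactly this kind of home network, so it can never collide with a public name, which answers the "bogus domain escaping" worry in the question.

```powershell
# Added example; all names, addresses and VM names below are assumptions, see lead-in.
# Each region runs on the machine named in its heading. Cmdlets are from the in-box
# Hyper-V, NetTCPIP, NetNat, DnsServer, DhcpServer and ADDSDeployment modules.

#region --- 1. Hyper-V host: two switches, host itself stays off the domain network ---
# Switch on the NIC that faces the house LAN / DSL router. The host keeps a management
# vNIC here: this host/DSL link is the "pseudo DMZ" from the answer.
New-VMSwitch -Name 'Edge-External' -NetAdapterName 'LAN-Uplink' -AllowManagementOS $true

# Switch on the second NIC, the one cabled to the lab switch, so physical PCs and VMs
# share one broadcast domain. -AllowManagementOS $false keeps the host out of it.
New-VMSwitch -Name 'Lab-Domain' -NetAdapterName 'LabSwitchNIC' -AllowManagementOS $false

# NAT router VM: default adapter faces the house LAN, a second adapter faces the domain.
Connect-VMNetworkAdapter -VMName 'NATRTR' -SwitchName 'Edge-External'
Add-VMNetworkAdapter     -VMName 'NATRTR' -SwitchName 'Lab-Domain' -Name 'Inside'
# The DC only ever touches the domain side.
Connect-VMNetworkAdapter -VMName 'DC1' -SwitchName 'Lab-Domain'
#endregion

#region --- 2. NATRTR guest: inside address is the gateway the DC's DHCP will hand out ---
# "Outside" takes a normal DHCP lease from the DSL router; only "Inside" is static.
New-NetIPAddress -InterfaceAlias 'Inside' -IPAddress 10.10.0.1 -PrefixLength 24
# Translate the whole domain subnet out through whatever address "Outside" holds.
New-NetNat -Name 'LabNat' -InternalIPInterfaceAddressPrefix '10.10.0.0/24'
#endregion

#region --- 3. DC1 guest: static address outside the scope, itself first for DNS ---
New-NetIPAddress -InterfaceAlias 'Inside' -IPAddress 10.10.0.10 -PrefixLength 24 `
    -DefaultGateway 10.10.0.1
# Own address first, loopback second: this is what the promotion warning about
# 127.0.0.1 being the first entry is asking for.
Set-DnsClientServerAddress -InterfaceAlias 'Inside' -ServerAddresses 10.10.0.10, 127.0.0.1

Install-WindowsFeature AD-Domain-Services, DNS, DHCP -IncludeManagementTools
$dsrm = Read-Host -AsSecureString 'DSRM password'
Install-ADDSForest -DomainName 'ad.home.arpa' -DomainNetbiosName 'ADLAB' -InstallDns `
    -SafeModeAdministratorPassword $dsrm -Force          # reboots when done

# --- after the reboot, still on DC1 ---
# The DC is authoritative for ad.home.arpa, so those names are answered (or NXDOMAINed)
# locally and never forwarded. Everything else goes only to the chosen upstream
# resolver; root hints are disabled so no other path to the internet exists.
Set-DnsServerForwarder -IPAddress 192.168.1.1 -UseRootHint $false

# DHCP on the DC, not on the NAT router. Scope starts at .100 so .1 (gateway) and
# .10 (DC) are outside it.
Add-DhcpServerv4Scope -Name 'Lab domain' -StartRange 10.10.0.100 -EndRange 10.10.0.200 `
    -SubnetMask 255.255.255.0 -State Active
# Gateway = NAT router; DNS = the DC and nothing else (no ISP resolver as a secondary).
Set-DhcpServerv4OptionValue -ScopeId 10.10.0.0 -Router 10.10.0.1 `
    -DnsServer 10.10.0.10 -DnsDomain 'ad.home.arpa'
Add-DhcpServerInDC -DnsName 'dc1.ad.home.arpa' -IPAddress 10.10.0.10
#endregion

#region --- 4. Any client on the Lab-Domain network: prove both halves work ---
# The SRV record that domain joins and logons depend on must be served by the DC.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.ad.home.arpa' -Type SRV -Server 10.10.0.10
# A public name resolved via DC -> forwarder -> ISP router.
Resolve-DnsName -Name 'www.microsoft.com' -Type A -Server 10.10.0.10
# The ISP resolver must know nothing about the lab zone: expect a name-not-found error here.
Resolve-DnsName -Name 'dc1.ad.home.arpa' -Server 192.168.1.1 -ErrorAction SilentlyContinue
# Locator check from the client's point of view.
nltest /dsgetdc:ad.home.arpa
#endregion
```

Two checks worth keeping after the build: the DHCP scope must never contain the DC or gateway addresses (here .10 and .1 sit below the .100 start), and the DHCP option set must list the DC as the only DNS server, because a client that falls back to the ISP resolver will fail domain joins and logons intermittently rather than cleanly. The forwarder is also the one place the lab trusts the outside world for name resolution, so point it at a resolver you actually control or trust rather than whatever the DSL router advertises, if that differs.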

> • I'd like the VM servers to be able to see each other & also the internet.
> • I'd like other PC's in the house to interact with the Virtual Environment.
> • If possible, I'd like the AD in the VM to authenticate my Home accounts & register my home machines as part of that domain.

We can have the physical NIC on the host attached directly to each VM, meaning they can share a "real" NIC at the same time. After that we can have a VPN service on the edge router and create a connection to this Hyper-V datacenter network from home across the internet, in order to access it from the remote home network.
